Key Management
Before you can encrypt or sign anything with GPG, you need to generate and manage your key pair safely. This section explains how to do that and how to avoid common pitfalls.
What is a key pair?
GPG uses a public/private key pair:
| Key type | Purpose | Shareable? |
|---|---|---|
| Public key | Encrypt data to you, verify your signatures | Yes |
| Private key | Decrypt data encrypted to you, sign data | Never |
- Public key: give it to anyone who wants to send you encrypted files or verify your signatures
- Private key: keep it secret. Anyone who obtains it (together with its passphrase) can read everything ever encrypted to you and forge your signatures, so treat a leak as a full compromise
Generating your first key pair
When you generate a key pair:
- Choose a strong passphrase; it is the only thing protecting the private key file if someone copies it
- Give your key a name and email (use your real identity for work projects, or a pseudonym for school exercises)
- Understand that the private key must be backed up immediately, because nothing else can decrypt files encrypted to it
The actual commands will be covered in the Cheatsheet section; here we focus on what each step means and why it matters.
Backing up your keys
- Always export your private key and store the export somewhere safe; the exported file is still protected by your passphrase, but treat it as secret anyway
- Prefer offline backups (USB stick, external drive) over synced cloud folders, and test a backup by restoring it into a fresh keyring once
- Losing your private key means losing access to every file encrypted to it, forever; nobody can recover it for you
Revocation certificates
A revocation certificate lets you tell others that a key is no longer valid if it is ever lost or compromised. Revoking needs either the private key or a revocation certificate made in advance, so a lost key without one stays valid until it expires:
- Generate it immediately after creating your key (GnuPG 2.1 and later also creates one for you in the openpgp-revocs.d directory of your GnuPG home)
- Store it offline, separate from your key backups, because anyone holding it can invalidate your key
- If needed, import it into your keyring and then publish the revoked key (to a key server, or directly to your contacts) so others stop using it
Think of it as a “kill switch” for your key. Never skip this step.
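The three procedures above (generating a key pair, backing up the private key, locating the revocation certificate) as one end-to-end script. This is an added example, not code from the original page or its Cheatsheet section. It assumes GnuPG 2.1 or newer on the PATH; the identity and passphrase are made up for the demo, and everything runs in throwaway GNUPGHOME directories so your real keyring is never touched. It also proves the backup by restoring it into an empty keyring and decrypting a message, which the page recommends but does not show.

```shell
#!/usr/bin/env bash
# Added example, not code from the original page: the key-management workflow
# end to end with GnuPG 2.1+ (generate, export public key, back up private key,
# locate the revocation certificate, prove the backup restores), run entirely in
# throwaway GNUPGHOME directories so your real keyring is never touched.
# The identity and passphrase below are made up for the demo.
set -eu

DEMO_UID="Alice Student <alice@example.edu>"   # made-up identity
DEMO_PASS="correct horse battery staple"       # demo only, pick your own

# Fresh, isolated GNUPGHOME (mode 700) holding the passphrase in a mode-600 file,
# so the passphrase never appears on a command line where `ps` could show it.
new_home() {
  local home
  home=$(mktemp -d)
  chmod 700 "$home"
  printf '%s' "$DEMO_PASS" > "$home/pass.txt"
  chmod 600 "$home/pass.txt"
  echo "$home"
}

# Non-interactive wrapper. Interactive use should let pinentry prompt instead;
# loopback mode is what makes batch scripting possible.
gpgb() {
  gpg --batch --quiet --no-tty --pinentry-mode loopback \
      --passphrase-file "$GNUPGHOME/pass.txt" "$@"
}

# Generate a sign+certify primary key with an encryption subkey ("default"
# usage), valid one year, and print the primary key fingerprint.
generate_key() {
  gpgb --quick-generate-key "$DEMO_UID" default default 1y >/dev/null
  gpg --batch --with-colons --list-keys "$DEMO_UID" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The public key: safe to hand to anyone.
export_public()  { gpg --batch --armor --export "$1"; }

# The private key backup: still passphrase-protected in the export, but treat
# the file as secret anyway and store it offline.
backup_private() { gpgb --armor --export-secret-keys "$1"; }

# GnuPG 2.1+ writes a revocation certificate automatically at key creation.
# Its armor's first line is prefixed with ':' so it cannot be imported by
# accident; remove that colon only when you actually need to revoke.
revocation_cert() { cat "$GNUPGHOME/openpgp-revocs.d/$1.rev"; }

# Prove the backup works: restore it into a brand-new keyring and decrypt a
# message that was encrypted to the public key alone. A backup that has never
# been restored is a hope, not a backup.
verify_backup() {
  local pub=$1 priv=$2 fpr=$3 restore
  restore=$(new_home)
  (
    export GNUPGHOME=$restore
    gpg --batch --quiet --import "$pub" >/dev/null
    # Encrypt as a correspondent holding only the public key would.
    printf 'backup check' \
      | gpg --batch --quiet --trust-model always --recipient "$fpr" --encrypt \
      > "$restore/msg.gpg"
    gpgb --import "$priv" >/dev/null   # passphrase needed: the key is re-protected
    gpgb --decrypt "$restore/msg.gpg"
  )
  GNUPGHOME=$restore gpgconf --kill gpg-agent 2>/dev/null || true
}

main() {
  GNUPGHOME=$(new_home); export GNUPGHOME
  DEMO_OUT=$(mktemp -d)
  DEMO_FPR=$(generate_key)
  export_public   "$DEMO_FPR" > "$DEMO_OUT/public.asc"
  backup_private  "$DEMO_FPR" > "$DEMO_OUT/private-backup.asc"
  revocation_cert "$DEMO_FPR" > "$DEMO_OUT/revocation.rev"
  DEMO_RESTORE=$(verify_backup "$DEMO_OUT/public.asc" \
                               "$DEMO_OUT/private-backup.asc" "$DEMO_FPR")
  echo "fingerprint:  $DEMO_FPR"
  echo "backup files: $DEMO_OUT (copy private-backup.asc and revocation.rev offline)"
  echo "restore test: $DEMO_RESTORE"
  gpgconf --kill gpg-agent 2>/dev/null || true
}

# Run only where GnuPG is installed.
if command -v gpg >/dev/null 2>&1; then main; fi
```

Two design points worth noticing. The passphrase is read from a mode-600 file rather than passed with --passphrase, because command-line arguments are visible to every local user through the process list. The restore test deliberately imports only the public key first and encrypts with --trust-model always, mirroring what a correspondent can do, before the private backup is imported; if the decrypted text comes back, the backup file really contains a working key.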
Key best practices for students
- Never share your private key
- Use a strong passphrase (don’t reuse passwords)
- Backup both your private key and revocation certificate
- Revoke and replace a key the moment you suspect it is compromised; retire it (revoke or let it expire) when the project it was made for ends
- Share your public key deliberately; it does not need to be on every key server
Next, you will learn how to encrypt, decrypt, sign, and verify files using your key pair in a practical workflow.